Upgraded deployments will create a log entry when the vmdir service starts stating that legacy ACL mode is enabled.
- Virtual Appliance Log File Location: /var/log/vmware/vmdird/vmdird-syslog.log
- Windows Log File Location: %ALLUSERSPROFILE%\VMWare\vCenterServer\logs\vmdird\vmdir.log
Example:
2020-04-06T17:50:41.859003+00:00 info vmdird t@139910871058176: Domain Functional Level (1)
2020-04-06T17:50:41.859668+00:00 info vmdird t@139910871058176: VmDirKrbInit, REALM (VSPHERE.LOCAL)
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy
2020-04-06T17:50:41.864522+00:00 info vmdird t@139910871058176: VmDirBindServer() end-point type (ncalrpc), end-point name (vmdirsvc) VmDirRpcServerUseProtSeq() succeeded.

This vulnerability can be resolved by upgrading an affected deployment to 6.7u3f or 7.0.
Notes:
- In order to be affected by CVE-2020-3952, a deployment must meet 2 criteria. First, it must be a 6.7 deployment prior to 6.7u3f. Second, it must be running in legacy ACL mode.
- Because the ACL MODE: Legacy log entry is only thrown at vmdir startup, it may be absent due to log file rollover even on affected deployments. If needed, you may use the commands "service-control --stop vmdird" and "service-control --start vmdird" to restart the VMDIR service and check the logs written during startup. Refer to How to Stop, Start or Restart vCenter Server 6.x Services for more information on restarting vCenter Server services.
- In the case of External PSC deployments, check the logs on the PSC, since the VMDIR service runs on the Platform Services Controller.
- The ACL MODE: Legacy log entry will still be thrown after upgrading to 6.7u3f and/or 7.0 even though CVE-2020-3952 is resolved in these releases.
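The check described above, as an added example that is not part of the VMware article: it scans vmdird log text for the startup "ACL MODE" entry, treats a missing entry as undetermined rather than safe (log rollover), and combines the result with the version criterion from the Notes. The sample log lines are constructed from the excerpt above, and the function names and the pre_6_7u3f flag are this example's own choices.

```python
import re
from typing import Optional, Tuple

# Constructed sample excerpt modelled on the vmdird-syslog.log lines quoted
# in the article; the timestamps and thread id are copied from that excerpt.
SAMPLE_LOG = """\
2020-04-06T17:50:41.859003+00:00 info vmdird t@139910871058176: Domain Functional Level (1)
2020-04-06T17:50:41.859668+00:00 info vmdird t@139910871058176: VmDirKrbInit, REALM (VSPHERE.LOCAL)
2020-04-06T17:50:41.860526+00:00 info vmdird t@139910871058176: ACL MODE: Legacy
2020-04-06T17:50:41.864522+00:00 info vmdird t@139910871058176: VmDirBindServer() end-point type (ncalrpc), end-point name (vmdirsvc) VmDirRpcServerUseProtSeq() succeeded.
"""

# The startup entry the article tells you to look for; the mode word is captured.
ACL_MODE_RE = re.compile(
    r"^(?P<ts>\S+)\s+info\s+vmdird\s+t@\d+:\s+ACL MODE:\s+(?P<mode>\S+)"
)


def latest_acl_mode(log_text: str) -> Optional[Tuple[str, str]]:
    """Return (timestamp, mode) from the most recent vmdir startup entry, or None.

    vmdir only logs ACL MODE at startup, so a rolled-over log may contain no
    entry at all; in that case the caller must not conclude the host is safe.
    """
    found = None
    for line in log_text.splitlines():
        m = ACL_MODE_RE.match(line)
        if m:
            found = (m.group("ts"), m.group("mode"))  # keep the last match seen
    return found


def assess(log_text: str, pre_6_7u3f: bool) -> str:
    """Combine the article's two criteria: version and legacy ACL mode.

    pre_6_7u3f is supplied by the caller (hypothetical flag; the article gives
    no build numbers), True for a 6.7 deployment older than 6.7u3f.
    """
    if not pre_6_7u3f:
        # Patched releases still log 'ACL MODE: Legacy', so the entry alone proves nothing.
        return "not-affected: build is 6.7u3f/7.0 or later"
    entry = latest_acl_mode(log_text)
    if entry is None:
        return "undetermined: no startup entry found (possible rollover); restart vmdird and re-check"
    ts, mode = entry
    if mode.lower() == "legacy":
        return f"affected: legacy ACL mode logged at {ts}"
    return f"not-affected: ACL mode '{mode}' logged at {ts}"
```

On an appliance, read /var/log/vmware/vmdird/vmdird-syslog.log (or the PSC's copy for external PSC deployments) into log_text before calling assess.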
The Update History section of this article will be revised if there is a significant change. Click Subscribe to be alerted when new information is added to this document and sign up at our Security-Announce mailing list to receive new and updated VMware Security Advisories.